When an education startup called ConnectEDU, a college- and career-counseling website, went bankrupt in April, the company’s assets were put up for sale — and among those assets were troves of users’ personally identifiable information, including the names, email addresses, and phone numbers of more than 20 million students.

One of the successful bidders on that data was a software company with an imperfect track record when it comes to privacy. The now-resigned CEO of Symplicity Corp., which powers universities’ disciplinary record systems, pleaded guilty last month to conspiring to hack into the computer systems of competitors and steal their information. Along with the company’s CTO, who will also plead guilty, he decrypted protected passwords and other private information of universities that used Symplicity’s system. The company has not been charged in the matter.

ConnectEDU’s bankruptcy gained national attention last week when the Federal Trade Commission stepped in, saying the sale of student data violated ConnectEDU’s privacy policy because it did not notify users or give them the chance to delete their information from the site. Many hailed the FTC’s willingness to intervene as a positive sign for student data protection.

But the case itself is also a reminder that bankruptcy can make student data especially vulnerable — allowing it to be parceled and auctioned off to the highest bidder. Education is a tougher market than many developers realize, and as ed-tech takes off and more young startups are founded, some are likely to fail. Many more will eventually be sold to the industry’s bigger players, taking student information along with them.

“The majority of the public isn’t aware of what happens to data when companies are sold or go under,” said Khaliah Barnes, the director of the Student Privacy Project at the Electronic Privacy Information Center, or EPIC, a research nonprofit. “They don’t expect that their information will be sold too.”

Thanks to an increased focus on the importance of protecting student information, most education companies’ privacy policies now promise not to sell user data to third parties. But that pledge almost always comes with an important exception: In the case of the sale of the company or a bankruptcy, student data is an asset much like any other. The FTC objected to the ConnectEDU sale only on the grounds that it violated the company’s privacy policy with regard to notifying users, not the actual data being sold.

When a company is sold — or sells off one of its divisions — information can be transferred from one company to another without users’ consent, and can potentially void the privacy policies that originally bound the data’s use. Bankruptcy cases are especially problematic, said Jamie Hine, a lawyer for the FTC, because assets must be distributed to the highest bidder — leaving companies with no discretion in terms of to whom they must hand over student data.

That can leave information in the hands of a company like Symplicity Corp., with its history of executives who took liberty with users’ private information. In a statement, the company said, “Symplicity is bigger than any one individual, and Mr. Friedler’s behavior is in no way reflective of the company’s hard-earned reputation… All customer information is secure.”

The risks of misusing student data like the information held by ConnectEDU are not abstract, said EPIC’s Barnes. She pointed to a complaint filed by EPIC with the FTC late last year against Scholarships.com, a website that helps students search for and apply to scholarships. EPIC alleges that Scholarships.com gave student information to a marketing affiliate, which then sold the data to advertisers, without properly notifying students.

Some of that data was extraordinarily sensitive, Barnes said: it included students’ medical histories, political affiliations, and even sexual identities. “You’re suddenly getting magazines sent to your home that could out you,” Barnes said. “You can imagine what that impact that could have.”

Scholarships.com did not immediately respond to requests for comment. In a previous statement to Education Week, Scholarships.com clarified that providing sensitive information was optional for users and that targeted advertising was not unique to the website.

Bankruptcy can also pose a problem for student data protection because judges have so much leeway in bankruptcy code, Hine said, including the ability to rewrite or cancel contracts. The judge in the ConnectEDU case ultimately decided with the FTC, requiring the provision that users be notified to be written into the asset sales contracts. Hine said the decision was welcome but unexpected, given that the judge could have bypassed privacy concerns.

The requirements in ConnectEDU’s policy are not standard, said Barnes: “ConnectEDU’s privacy policy was actually much more favorable than most.” Most privacy policies, she said, do not state that they will notify users of sale.

Edmodo, a leading student social learning platform that is widely known as “the Facebook for schools,” says only that “user information may be transferred to or acquired by a third party” in the case of a sale or bankruptcy. Edmodo has more than 33 million users.

In the wake of controversies over usage of student data, much attention has been paid to the privacy policies of education companies, especially startups, analyzing them for how easily many allow third parties to gather information and how much of students’ metadata they store. But that could matter little in the case of a sale, said Hine. Legally, companies purchasing student data do not have to abide by previous privacy policies, unless they are specifically bound to do so by the terms of the sale.

JumpStart, an educational gaming company that had one of the biggest investment financing rounds in ed tech last year, specifically addresses this issue in its privacy policy. The policy says that, in the event of a bankruptcy or sale, “We cannot control the activities of third parties to whom we provide data, and as such we cannot guarantee that they will adhere to the same privacy and security procedures.”